From aa3aebf132959e7e44876042efaf9ff24ffe0f2b Mon Sep 17 00:00:00 2001
From: rpm-build
Date: Mon, 31 Jul 2023 09:41:27 +0200
Subject: [PATCH 09/35] 0009-Add-Kernel-FIPS-mode-flag-support.patch

Patch-name: 0009-Add-Kernel-FIPS-mode-flag-support.patch
Patch-id: 9
Patch-status: |
    # Add check to see if fips flag is enabled in kernel
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
---
 crypto/context.c            | 36 ++++++++++++++++++++++++++++++++++++
 include/internal/provider.h |  3 +++
 2 files changed, 39 insertions(+)

Index: openssl-3.2.3/crypto/context.c
===================================================================
--- openssl-3.2.3.orig/crypto/context.c
+++ openssl-3.2.3/crypto/context.c
@@ -17,6 +17,40 @@
 #include "crypto/decoder.h"
 #include "crypto/context.h"
 
+# include
+# include
+# include
+# include
+# include
+
+# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
+
+static int kernel_fips_flag;
+
+static void read_kernel_fips_flag(void)
+{
+    char buf[2] = "0";
+    int fd;
+
+    if (ossl_safe_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
+        buf[0] = '1';
+    } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
+        while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
+        close(fd);
+    }
+
+    if (buf[0] == '1') {
+        kernel_fips_flag = 1;
+    }
+
+    return;
+}
+
+int ossl_get_kernel_fips_flag()
+{
+    return kernel_fips_flag;
+}
+
 struct ossl_lib_ctx_st {
     CRYPTO_RWLOCK *lock, *rand_crngt_lock;
     OSSL_EX_DATA_GLOBAL global;
@@ -368,6 +402,7 @@ static int default_context_inited = 0;
 
 DEFINE_RUN_ONCE_STATIC(default_context_do_init)
 {
+    read_kernel_fips_flag();
     if (!CRYPTO_THREAD_init_local(&default_context_thread_local, NULL))
         goto err;
 
Index: openssl-3.2.3/include/internal/provider.h
===================================================================
--- openssl-3.2.3.orig/include/internal/provider.h
+++ openssl-3.2.3/include/internal/provider.h
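Review bot: In read_kernel_fips_flag() the OPENSSL_FORCE_FIPS_MODE check tests only for the variable's presence, so `OPENSSL_FORCE_FIPS_MODE=0` or an empty value also forces the flag on and completely bypasses the /proc/sys/crypto/fips_enabled read, and nothing in the hunk documents that. A comment above the function such as `/* Set kernel_fips_flag when OPENSSL_FORCE_FIPS_MODE is present in the environment (any value), otherwise when the kernel reports fips_enabled=1; a missing file or read error leaves the flag at 0. */` would make the contract explicit, or if presence-only is not intended the test could become `const char *p = ossl_safe_getenv("OPENSSL_FORCE_FIPS_MODE"); if (p != NULL && *p != '\0' && *p != '0')`. Two style points in the same hunk: the added `# include` lines use the indented form while the surrounding file uses `#include`, and the definition `int ossl_get_kernel_fips_flag()` should be written `int ossl_get_kernel_fips_flag(void)` to match the prototype added in include/internal/provider.h. The trailing `return;` in read_kernel_fips_flag() is redundant and can be dropped.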
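Review bot: read_kernel_fips_flag() is invoked only from default_context_do_init, so ossl_get_kernel_fips_flag() reports 0 to any caller that runs before the default library context has been initialised; whether a provider loaded into an explicitly created OSSL_LIB_CTX can reach the getter first cannot be determined from this hunk, but if it can, the result would be a silent "not FIPS" rather than an error. A comment on the added call, `/* sample the kernel FIPS flag before any provider can query ossl_get_kernel_fips_flag() */`, would record the ordering assumption. The remainder of default_context_do_init lies outside the hunk.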
@@ -112,6 +112,9 @@ int ossl_provider_init_as_child(OSSL_LIB
                                 const OSSL_DISPATCH *in);
 void ossl_provider_deinit_child(OSSL_LIB_CTX *ctx);
 
+/* FIPS flag access */
+int ossl_get_kernel_fips_flag(void);
+
 # ifdef __cplusplus
 }
 # endif
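Review bot: The comment `/* FIPS flag access */` above the new prototype says nothing about what the returned value means or when it becomes valid, which is what a caller in a provider needs to know. Since the definition in crypto/context.c sets the value once at default-context initialisation from OPENSSL_FORCE_FIPS_MODE or /proc/sys/crypto/fips_enabled, a comment such as `/* 1 if OPENSSL_FORCE_FIPS_MODE is set or the kernel reports fips_enabled=1, else 0; sampled once when the default library context is initialised */` would cover both. The prototype here correctly uses `(void)`, while the definition in crypto/context.c is written `ossl_get_kernel_fips_flag()`; the definition should be changed to match.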